ACL permit , . (. A .)???? show access-list (ACE) . permit .
Netflow.
Netflow , . Netflow , show ip cache flow , Netflow. Netflow , .
3.2. ACL .
Deny RFC 1918.
Deny, , RFC 3330.
- RFC 2827; , (AS).
:
IP-,
ICMP IP-
IPSec VPN,
ICMP ( )
(DNS)
TCP
(UDP)
FTP
TFTP
,
1. VPN
(ISAKMP)
( NAT)
( ESP)
(AH)
2. HTTP -
3. (SSL) - FTP FTP-
4. FTP
5. FTP (pasv)
6. (SMTP)
7.
8. DNS
9. DNS
ACL
ACL . , , ACL - IR1 IR2.
ACL , ACL . ACL , .
!--- - .
!--- .
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
access-list 110 deny ip host 255.255.255.255 any
!--- deny
!--- (DHCP).
access-list 110 deny ip host 0.0.0.0 any
!--- RFC 1918.
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
!--- (BGP) .
access-list 110 permit tcp host bgp_peer gt 1023 host router_ip eq bgp
access-list 110 permit tcp host bgp_peer eq bgp host router_ip gt 1023
!--- ,
access-list 110 deny ip any
!--- .
!--- ICMP.
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any time-exceeded
access-list 110 deny icmp any any
!--- DNS.
access-list 110 permit udp any eq 53 host DNS gt 1023
!--- DNS DNS.
access-list 110 permit udp any eq 53 host DNS eq 53
!--- -.
access-list 110 permit tcp any established
access-list 110 permit udp any range 1 1023 gt 1023
!--- ftp.
access-list 110 permit tcp any eq 20 gt 1023
!--- tftp .
access-list 110 permit udp any gt 1023 gt 1023
!--- .
!--- DNS.
access-list 110 permit udp any gt 1023 host eq 53
!--- DNS DNS.
access-list 110 permit tcp host DNS gt 1023 host DNS eq 53
!--- DNS.
access-list 110 permit tcp host DNS eq 53 host DNS eq 53
!--- DNS.
access-list 110 deny udp any any eq 53
access-list 110 deny tcp any any eq 53
!--- IPSec VPN.
access-list 110 permit udp any host IPSec eq 500
access-list 110 permit udp any host IPSec eq 4500
access-list 110 permit 50 any host IPSec
access-list 110 permit 51 any host IPSec
access-list 110 deny ip any host IPSec
!--- -
!--- .
access-list 110 permit tcp any host - eq 80
access-list 110 permit tcp any host - eq 443
access-list 110 permit tcp any host FTP eq 21
!--- FTP
!--- ACE permit established.
!--- PASV FTP.
access-list 110 permit tcp any gt 1023 host FTP gt 1023
access-list 110 permit tcp any host SMTP eq 25
!--- .
access-list 110 deny ip any any
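As an added example (not part of the original document), a small Python evaluator that walks a constructed subset of the transit ACL 110 above top-down, applying first-match semantics, the `established` keyword, and the implicit deny that applies when no ACE matches. The placeholder names from the ACL are replaced by assumed example addresses (203.0.113.20 as the public web server).

```python
import ipaddress
from collections import namedtuple
# Constructed subset of the transit ACL 110 above (assumed: 203.0.113.20 is the public web server).
ACL_110 = [
    "access-list 110 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 110 permit icmp any any echo-reply",
    "access-list 110 deny icmp any any",
    "access-list 110 permit tcp any any established",
    "access-list 110 permit tcp any host 203.0.113.20 eq 80",
    "access-list 110 deny ip any any",
]
# ack=True: ACK or RST flag set, which is what the IOS "established" keyword tests
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type ack", defaults=(0, 0, "", False))

def _addr(tok, i):
    # 'any' | 'host A' | 'A WILDCARD' (contiguous wildcard masks only) -> (network, next index)
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    prefix = 32 - bin(int(ipaddress.IPv4Address(tok[i + 1]))).count("1")
    return ipaddress.ip_network(f"{tok[i]}/{prefix}", strict=False), i + 2
def _port(tok, i):
    # optional 'eq N' | 'gt N' -> (predicate over a port number, next index)
    if i < len(tok) and tok[i] in ("eq", "gt"):
        n, is_eq = int(tok[i + 1]), tok[i] == "eq"
        return (lambda p: p == n if is_eq else p > n), i + 2
    return (lambda p: True), i
def _matches(line, pkt):
    tok = line.split()   # access-list <n> <action> <proto> src [op] dst [op] [established|icmp-type]
    proto = tok[3]
    src, i = _addr(tok, 4)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i)
    rest = tok[i:]
    if proto not in ("ip", pkt.proto) or ipaddress.ip_address(pkt.src) not in src \
            or ipaddress.ip_address(pkt.dst) not in dst:
        return False
    if proto in ("tcp", "udp") and not (sport(pkt.sport) and dport(pkt.dport)):
        return False
    if "established" in rest and not pkt.ack:   # only return traffic of sessions opened from inside
        return False
    return proto != "icmp" or not rest or pkt.icmp_type in rest
def evaluate(acl, pkt):
    # Top-down, first match decides; a packet matching no ACE hits the implicit deny.
    for line in acl:
        if _matches(line, pkt):
            return line.split()[2], line
    return "deny", "implicit deny"
```

A spoofed RFC 1918 source is dropped by the first ACE even when it targets a permitted web port, and removing the explicit final deny changes only the reported reason, not the outcome.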
log . , , ACL, log CPU. .
ICMP , ACL. . no ip unreachables IP- , () ACL.
ACL permit , - . - , deny.